When is it OK? Profiling Within your Organization

Firstly, I want to state clearly that this article is meant to be a discussion point.  The topic of profiling can be touchy.  I want to talk about aspects of this topic and how I believe there is space within cyber-security for profiling.

Thanks.

The more I study about cyber-security the more it intrigues me and spurs me on to want to learn more.  Again and again I find that as a cyber-security professional one has to toe-the-line on what is "good" and "bad".  If I learn about a tool where it's predominant purpose is too steal credentials is it wrong to learn about such a tool?

No.

If I use that knowledge maliciously on a network I have crossed the line though.

Cyber tools, like a hammer, can be used for good or ill.

Profiling can be a tool for protecting your organization.

The dictionary defines "Profiling" as such:

"The recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

As a society we are prone to use profiling in a negative way (racial profiling, gender profiling, etc.)  These are not acceptable. 

Let's look at the definition of profiling and pull it apart too see if there is any usable pieces as a security professional.

"analysis of psychological and behavrioural characteristics..."

Psychology would be how we handle the world around us.  When presented with a situation, what are we thinking and feeling at that moment?  Behavioural is our actions, when I have an experience I feel and think (psychology) and act on those feelings (behaviour).

I believe this to be a basic fact of humanity.  

This cause and effect relationship between feelings and acting plays out dramatically different between people.  How I respond to a news article about violence at the capitol may be drastically different then someone who grew up in an area where people sympathize with the rioters. 

and on

and on 

and on. 

...so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

To assess or predict capabilities in a certain sphere.  The sphere of reference that we are talking about today revolves around cyber-security and your organization.  

Is it possible to determine who within your organization is a higher risk for allowing unintentional security breaches?...so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

I believe yes.

For anyone who has spent any amount of time in IT you will know what I mean when I refer to repeat offenders (users).  Those users who seem to always be patient zero for new malware in your network environment.

After seeing malware over and over again I began to noticing behaviour trends/patterns in users.

Here are some things to watch for with users that can (not guaranteed) make them a higher risk for malware/security breaches:

1. Age:  Being of a certain age does not necessarily mean that you are going to be the target of attack.  However I have noticed that for folks who have not grown up under the shadow of ever present technology they tend to be pretty trusting and surprised when the Nigerian prince asking for money isn't real.  I'm not trying to be ageist, in fact I have experience a lot of younger people fall victim to phishing scams.  

It's at this point that I think people will be most up in arms.  I am not saying that being "old" or being "young" is bad, by no means.  All I am saying is that the people who want to attack your company are thinking this way.  It is prudent to at least consider the attacker mindset.

2. Position: Specifically people who are higher up the ladder tend to be a high risk because their access to critical assets is greater.  Hence why spear phishing an organization goes better if you can spoof the bosses email.

I have also seen "lower" positions be prone to attack.  Sometimes people in ground level roles are less invested in an organization....sometimes...not always.  Their position maybe temporary.  The nature of their role means that assets they interact with on a daily basis are potentially not mission critical.  Sometimes this scenario can lead to people letting their guard down.  "I'm not very high on the food chain here, what damage could I do?"

3. Technical Aptitude: I have had many users confess to me that they are bad with computers.  This in itself means that these users are a higher probability of compromise.

---------

Notice that gender and race didn't enter the list (Age/Position/Tech Aptitude).  In my experience these are not consistent recurring factors that increase a user's probability for compromise.

The only caveat to the previous statement would be spear-phishing.  Perhaps an attacker has done their research on me (LinkedIn/Facebook/etc.) They know my gender and race and craft a very specific email. Then there is an increase risk, however that is the exception not the norm.

I believe you can take those three topics I listed and come up with subgroups with specific behaviour traits.  I've seen it all.

---The young guy who has a higher power job, thinks he's untouchable, a little cocky, minimal tech skills.

---The middle aged father, middle of the pack role at a company, absolutely no tech skills/awareness

---The ready to retire, CEO, could care care less if he/she ever sees let alone uses a computer, "My assistant does that work".  "What's this new thing called Social Media"

So What Now?

Well, as a security professional knowing this is half the battle.  It isn't wrong to suspect that someone is a higher risk for compromise.  If you treat them with a lack of respect that would be wrong.  

Treat them like every other user and accept that you cannot not change them.  What you can do though, is mitigate risk.

With these folks the best, I mean the absolute best thing you can do (on top of using security best practices that are associated with their industry and your own security best practices) is EDUCATION.

Honestly if you have these high risk repeat offenders attend an education session on the dangers of Ransomware and you show them some real facts about how bad it is it can be enough to scare some folks in to being more vigilant.

Conduct practice sessions where people try and determine phishing scams from real product offers.

You can't make people change, but if you can at least get one high risk repeat offender to independently hover over that shiny link and choose not to click it you should consider that a victory

In summary:

It's ok to think in your mind that someone might be a higher security risk.  Don't treat them any differently then other users.  Educate them on the hazards of the cyber world and this simple act will make a world of a difference.

Thanks for reading

Andrew Campbell